There's no evidence of this vulnerability being exploited in the wild, even though paying customers of the VulnDisco security product have been given access to a working exploit since February the 1st.

A patched Firefox release candidate is already available, so if you're really scared or impatient you can get it here.

As almost always happens, NoScript* has been protecting its users since day 0, keeping its promise of preventing exploitation of security vulnerabilities (known and even not yet known!).

Update 2010-03-23

In the meantime, Mozilla decided to go through the effort of releasing Firefox 3.6.2 one whole week ahead of schedule for the greater good, so if you haven't seen the "Available update" message yet, just use Help|Check for updates now.

Now that vulnerability details are not embargoed anymore, I can add that exploitation required the browser to load a specially crafted web font. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default.